You’ve been breached: Eight steps to take within the next 48 hours (free PDF)

A slow or mishandled response to a data breach can make a bad situation even worse. As soon as you discover you’ve been hacked, take these steps to help contain the damage.

From the ebook:

“A data breach itself is the second worst possible event that can occur in an organization; the mismanagement of the communication about the response is the worst.” This observation comes from Exabeam chief security strategist Steve Moore, who has tracked criminal and nation-state adversaries and led the largest healthcare breach response in history. Moore added that the time spent on a breach, including audit, regulatory, and litigation support, can last not months but years.

I previously covered 5 ways you can prepare for a breach, which can help reduce risks. If a breach still occurs despite those precautions, however, here are eight things you should do within 48 hours to manage and contain the situation as best as you can.

Regardless of the type of breach, these steps should apply—whether it involves a single device, a series of systems, or a company-wide intrusion.

Freeze everything
Take affected devices offline but do not shut them down or make any changes just yet. The goal here is to stop any ongoing activity by limiting communication to and from the impacted systems but not commit any action that might erase clues, contaminate evidence, or otherwise inadvertently aid the attacker.

In the case of virtual machines or other systems you can snapshot, I recommend doing so now so that you will have a recorded version of the system at the time the breach was occurring. You can analyze the snapshot later in an offline state.

Ensure that auditing and logging are ongoing
Ensuring that existing system auditing remains intact and has been operational will be one of the most useful steps you can take to determine the scope of the breach and devise remediation methods. If auditing has been disabled (to cover someone’s trail, for instance), restore it before proceeding. It will also assist in establishing whether breach activity is still occurring and when the breach can be safely determined to have concluded.